Open Bug 1139446 Opened 9 years ago Updated 7 months ago

Require Template-Toolkit 2.27 to correctly escape unsafe characters with FILTER uri

Categories: Bugzilla :: Installation & Upgrading, enhancement
enhancement / Not set / normal
People: Reporter: LpSolit, Unassigned
Whiteboard: [blocker will fix]

As explained in bug 926085 comment 0, Template-Toolkit up to version 2.25 used the old RFC 2396 which considered the !,*,',( and ) characters as safe. But bug 926085 proved that at least single quotes could cause trouble when used in URLs, because single quotes are also used to quote strings in templates. The newer RFC 3986 now considers these characters as unsafe and the URI module already follows this new RFC by default, see bug 970283.

Template-Toolkit 2.26, released on Sept. 17, 2014, implemented a Template::Filters::use_rfc3986() method which makes [% FILTER uri %] follow this new RFC. If not specified, the old RFC 2396 is used by default.

TT 2.26 is pretty new and cannot be required for Bugzilla 5.0, but for security reasons, I would suggest requiring it for Bugzilla 6.0. Maybe for 5.0 we could add some check when loading Bugzilla::Template which does something like:

use Template;

# Template::Filters::use_rfc3986() only exists from TT 2.26 on.
if (Template->VERSION >= 2.26) {
    Template::Filters::use_rfc3986();
}

Do not check Template::Filters->VERSION, because its version (2.87) has not been updated since TT 2.22.
We must not call Template::Filters::use_rfc3986() till https://github.com/abw/Template2/issues/35 is fixed as it's a severe regression. The regexp used in TT 2.26 is wrong as double quotes are no longer escaped. This regression is known for more than a year, but it got no traction at all. Shame!
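To make the difference between the two RFCs concrete, here is an added example (not Template-Toolkit or Bugzilla code) that emulates [% FILTER uri %] with the unreserved-character sets of RFC 2396 and RFC 3986, shows why a value that keeps its single quote breaks a single-quoted template string, and mirrors the version gate from comment 0 with the 2.27 floor from comment 2. The names uri_escape, filter_uri_rfc2396, filter_uri_rfc3986, choose_uri_filter and js_string_literal_is_intact are this example's own, and the sample input is constructed; the TT 2.26 double-quote regression is not reproduced here, only avoided by the version gate.

```python
"""Emulation of Template-Toolkit's FILTER uri under RFC 2396 and RFC 3986.

Added example, not Template-Toolkit or Bugzilla code. The character sets
are taken from the two RFCs; the function names are this example's own.
"""
import string

ALNUM = set(string.ascii_letters + string.digits)
# RFC 2396 "unreserved" = alphanum | mark, where mark = - _ . ! ~ * ' ( )
RFC2396_SAFE = ALNUM | set("-_.!~*'()")
# RFC 3986 "unreserved" = ALPHA / DIGIT / "-" / "." / "_" / "~"
RFC3986_SAFE = ALNUM | set("-._~")


def uri_escape(value, safe):
    """Percent-encode every UTF-8 byte of value that is not in the safe set."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 128 and ch in safe:
            out.append(ch)
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def filter_uri_rfc2396(value):
    """What TT up to 2.25 does: ! * ' ( ) pass through unescaped."""
    return uri_escape(value, RFC2396_SAFE)


def filter_uri_rfc3986(value):
    """What a correct use_rfc3986() filter does: only -._~ and alnum pass."""
    return uri_escape(value, RFC3986_SAFE)


def choose_uri_filter(tt_version):
    """Version gate analogous to comment 0's check, with the 2.27 floor from
    comment 2: TT 2.26's RFC 3986 filter has the double-quote regression,
    so only 2.27 and later get the new behaviour (hypothetical helper)."""
    if float(tt_version) >= 2.27:
        return filter_uri_rfc3986
    return filter_uri_rfc2396


def js_string_literal_is_intact(escaped):
    """Simulate dropping the escaped value into onclick="go('...')".
    The literal survives only if no quote or backslash remains."""
    return "'" not in escaped and "\\" not in escaped


SAMPLE = "it's a \"test\" (1)*!"  # constructed input

if __name__ == "__main__":
    for name, f in (("RFC 2396", filter_uri_rfc2396),
                    ("RFC 3986", filter_uri_rfc3986)):
        esc = f(SAMPLE)
        print(f"{name}: {esc}  single-quoted literal intact: "
              f"{js_string_literal_is_intact(esc)}")
    for version in ("2.25", "2.26", "2.27", "3.008"):
        print(f"TT {version}: {choose_uri_filter(version).__name__}")
```

Running it shows the RFC 2396 output keeping the single quote (so the literal is not intact) while the RFC 3986 output encodes it as %27; both encode the double quote as %22, which is exactly what the TT 2.26 regression lost.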
(In reply to Frédéric Buclin from comment #1)
> This regression is known for more than a year, but it got no traction at all.

I decided to ping the module owner directly, and now my patch has been committed upstream. So TT 2.27 will have my fix.
Summary: Require Template-Toolkit 2.26 to correctly escape unsafe characters with FILTER uri → Require Template-Toolkit 2.27 to correctly escape unsafe characters with FILTER uri

We'll go with 3.008 per bug 1560873

Depends on: 1560873
Whiteboard: [blocker will fix]